An introduction to PCI compliance and data security standard. Including attestation requirements, PCI merchant levels, reporting requirements.

1. Donald E. Hester
CISSP, CISA, CAP, PSP, MCT
Maze & Associates / San Diego City College
www.LearnSecurity.org

2. Donald E. Hester
CISSP, CISA, CAP, MCT, MCITP, MCTS, MCSE Security, Security+
Maze & Associates, Director
(925) 930-0902
DonaldH@MazeAssociates.com
www.LearnSecurity.org
www.linkedin.com/in/donaldehester
www.facebook.com/group.php?gid=245570977486
Introduction
Updates to this presentation and other resources available on:
www.MazeAssociates.com/resources and www.LearnSecurity.org

3. The Problem
Albert Gonzalez, 28
With accomplices, he was involved in data breaches of most of the major
data breaches:
Heartland, Hannaford Bros., 7-Eleven, T.J. Maxx, Marshalls, BJ’s Wholesale
Club, OfficeMax, Barnes & Noble, Sports Authority, Dave & Busters, Boston
Market, Forever 21, DSW and others.

4. Alarming Trend
Number of incidents per year.
Source:

5. Players
• Acquirer (Merchant Bank)
– Bankcard association member that initiates
and maintains relationships with merchants
that accept payment cards
• Hosting Provider
– Offer various services to merchants and
other service providers.
• Merchant
– Provides goods and services for
compensation
• Cardholder
– Customer to whom a card is issued or
individual authorized to use the card
Card Brand
Acquirer
Hosting
Provider
Merchant
Cardholder

6. Players
• Card Brand
– Issue fines
– Determine compliance
requirements
• PCI Security Standards Council
– Maintain standards for PCI
– Administer ASV & QSA
• Qualified Security Assessors
– Certified to provide annual audits
• Approved Scanning Vendor
– Certified to provide quarterly
scans
Card
Brands
PCI SSC
QSA
ASV

7. PCI Council Standards

8. What does the PCI Council do?
• Own and manage PCI DSS, including
maintenance, revisions, interpretation and
distribution
• Define common audit requirements to
validate compliance
• Manage certification process for security
assessors and network scanning vendors
• Establish minimum qualification requirements
• Maintain and publish a list of certified
assessors and vendors

9. Website
https://www.pcisecuritystandards.org/

10. What are the Standards?
• PCI DSS: PCI Data Security Standard
– Overall standard, applies to all
• PA DSS: Payment Application Data Security
Standard
– Supporting standard for payment applications
• PTS (was PED): PIN Transaction Security
Standard
– Supporting standard for PIN entry devices
– Supporting standard for unattended payment
terminals (UPT)

11. PCI DSS
 The Payment Card Industry Data Security
Standard
 6 Objectives (Goals)
 12 Sections (Requirements)
 194 Controls

12. PCI DSS

13. Standard Lifecycle

14. Who must comply?
• With PCI DSS
– Any organization the processes, stores or transmits
credit card information.
• With PA DSS
– Payment application developers
– Merchants will be required to use only compliant
applications by July 2010.
• With PTS
– Manufactures of PIN entry devices
– Merchants will be required to use only compliant
hardware by July 2010.
– MasterCard PTS to incorporate into PCI SSC April 30,
2010

15. PCI Compliance
• This includes:
• Organizations who only use paper based
processing
• Organizations who outsource the credit
card processing
• Organizations that process credit cards in
house

16. Is PCI law?
 The PCI DSS was developed by the
payment card brands
 Compliancy is compulsory if a merchant
wishes to continue processing payment
card transactions
 However, some States have enacted
legislation that has made PCI compliance
the law

17. What if we are a small
organization?
• “All merchants, whether small or
large, need to be PCI compliant.
• The payment brands have collectively
adopted PCI DSS as the requirement
for organizations that process, store
or transmit payment cardholder
data.”
– PCI SSC

18. Cost?
• What happens when there is a data
breach?
– Depends if the merchant can reach safe
harbor.

19. What’s Safe Harbor?
Incident Evaluation
Safe
Harbor
$$$$$$

20. Safe Harbor Notes:
• For a merchant to be considered
compliant, any Service Providers that
store, process or transmit credit card
account data on behalf of the merchant
must also be compliant.
• The submission of compliance validation
documentation alone does not provide
the merchant with safe harbor status.

21. Outside the Safe Harbor
• Losses of cardholders
• Losses of banks
• Losses of card brands
– Fines from the Card brands
– Possible restrictions on process credit cards
– Cost of forensic audit

22. Fines
Merchants may be subject to fines by the card associations if deemed non-
compliant. For your convenience fine schedules for Visa and MasterCard are
outlined below.
http://www.firstnationalmerchants.com/ms/html/en/pci_compliance/pci_data_secur_stand.html

23. PCI DSS
 The Payment Card Industry Data Security
Standard
 6 Objectives (Goals)
 12 Sections (Requirements)
 194 Controls

24. PCI DSS

25. PCI DSS
• Start implementing the data security
standard starting with policies
• Start with high level polices
– “The City shall not store PAN (Credit Card
Numbers) electronically or physically.
Employees shall be trained on PCI standard
annually. Background checks will be
performed on all staff with access to credit
card information.”

26. Create Needed Policies
• What policies do you currently have that
address PCI related issues
• Create needed policies
• See section 12 of the PCI DSS
• You will need to create additional
subordinate policies, procedures or
administrative directives for specific PCI
control requirements
• Every PCI DSS control should be
documented in some policy, procedure,
administrative directive, SOP or schedule

27. PII Policy
• If you already have a policy for handling
confidential information or personally
identifiable information add credit card
information to confidential information
or PII.

28. PCI DSS
• Use the prioritized approach to
implement the most important controls
first.

29. Merchant Levels
Merchant levels are determined by the annual
number of transactions not the dollar amount
of the transactions.
Merchant Level E-commerce transactions All other transactions
Level 1 Over 6 million annually Over 6 million annually
Level 2 1 to 6 million annually 1 to 6 million annually
Level 3 20,000 to 1 million annually N/A
Level 4 Up to 20,000 annually Up to 1 million annually

30. Validation Requirements
Merchant Level QSAAudit Quarterly Network
Scans
Self-Assessment
Questionnaire
Level 1 Yes Yes -
Level 2 * Yes Yes
Level 3 - Yes Yes
Level 4 - Yes Yes
Separate and distinct from the mandate to comply
with the PCI DSS is the validation of compliance
whereby entities verify and demonstrate their
compliance status.
* Starting 12-31-2010 MasterCard will require Annual
QSA Audits for Level 2 Merchants

31. Continuous Process
• “PCI DSS compliance is much more than a
“project” with a beginning and end – It’s an
ongoing process of assessment,
remediation and reporting” - PCI SSC
Assess
ReportRemediate

32. Continuous Process
• Many of the PCI requirements have
specific time interval requirements
• Create a schedule for time based
requirements
• Some organizations already have
‘maintenance calendars’ for these type
of actions

33. Common Findings
• Clients think they are compliant
– Because they do quarterly networks scans
– Because they filled out the SAQ
– Because they have too few transactions
• Reality
– Validation is not compliance
– Compliance is an ongoing process
– PCI DSS is required for all merchants,
regardless of the number of transactions

34. Common Findings
• Payment card information on paper
• No network segmentation
• Logging Access
• Shared Passwords
• Verifying compliance of outsourced
processing
• No one is assigned responsibility
• Not aware of PAN storage in
application

35. PCI Pitfalls
• PCI will not make an
organization’s network or data
secure
• PCI DSS focuses on one type of
data: payment card transactions
• The organization runs the risk of
focusing on one class of data to
the detriment of everything else